GDPR in e-commerce: How a business can make its online shop legally compliant

Checkout
Checkout

Stripe Checkout is a prebuilt payment form optimised for conversion. Embed Checkout into your website or direct customers to a Stripe-hosted page to easily and securely accept one-time payments or subscriptions.

Learn more 
  1. Introduction
  2. Why was the GDPR introduced?
  3. What are the key provisions of the GDPR?
    1. Principles of data processing
    2. Lawfulness of processing
    3. Rights of the data subjects
    4. Responsibilities of the controller
  4. What is the significance of the GDPR in e-commerce?
  5. What requirements must e-commerce businesses meet to comply with GDPR regulations?
    1. Privacy policy
    2. Cookie policy
    3. Technical and organisational measures
    4. Consent for advertising and information offers
    5. Data processing agreements
    6. Appointment of data protection officers
  6. What penalties do businesses face if they fail to comply with the GDPR?

Since 2018, the General Data Protection Regulation (GDPR) has regulated all aspects of data protection in Europe and nationally. In particular, e-commerce businesses that operate an online store should ensure they comply with numerous requirements when processing personal data.

In this article, you will learn why the GDPR was introduced, what the main provisions of the regulation are, and what it means for e-commerce businesses. We also explain the requirements businesses must meet to comply with the GDPR and the penalties that can apply if they do not.

What’s in this article?

  • Why was the GDPR introduced?
  • What are the key provisions of the GDPR?
  • What is the significance of the GDPR in e-commerce?
  • What requirements must e-commerce businesses meet to comply with GDPR regulations?
  • What penalties do businesses face if they fail to comply with the GDPR?

Why was the GDPR introduced?

The GDPR was introduced to standardise data protection across the European Union (EU) and to improve the protection of personal data in an increasingly digital world. Before the GDPR, EU member states had different data protection laws. This resulted in significant differences in the level of protection and posed a challenge for businesses operating in multiple countries. The GDPR establishes a single legal framework that applies to all EU countries.

The primary objective of the GDPR is to protect individuals regarding the processing of personal data. The regulation is intended to promote citizens’ trust in the handling of their data. The GDPR lets businesses in the EU operate more efficiently because they can adhere to uniform data protection standards.

In Germany, data protection was regulated by the Federal Data Protection Act (BDSG) until the introduction of the GDPR. This act has been adapted and is considered a supplement to the GDPR – especially in areas in which the GDPR leaves the member countries some discretion.

What are the key provisions of the GDPR?

The GDPR contains several key provisions in 11 chapters and 99 articles. Here is an overview of the most important ones:

Principles of data processing

Article 5 of the GDPR regulates the principles for the processing of personal data. Among other requirements, the data must be:

  • Processed lawfully and transparently for the data subject
  • Collected and processed for specified, explicit, and legitimate purposes
  • Processed to only the extent necessary for the respective purpose
  • Up to date and correct
  • Deleted if no longer required for the purpose of processing
  • Protected by technical and organisational measures to prevent unauthorised access, loss, or destruction

Lawfulness of processing

Article 6 of the GDPR stipulates data can be processed only if one of the following legal bases applies:

  • Consent of the data subject
  • A contract with the data subject
  • Processing is necessary to comply with a legal obligation
  • Processing is necessary to protect the vital interests of the data subject or of another natural person
  • Processing is necessary for the performance of a task carried out in the public interest
  • Processing is necessary to safeguard the legitimate interests of the controller or of a third party, unless the interests or fundamental rights of the data subject are overridden.

Rights of the data subjects

Chapter 3 of the GDPR regulates the various rights of data subjects regarding the handling of their data.

  • Data subjects have the right to know what personal data is stored about them, how it is processed, and with whom it is shared (Article 15 GDPR).
  • Incorrect or incomplete personal data must be corrected at the request of the data subject (Article 16 GDPR).
  • Data subjects can, under certain conditions, ask for their data to be deleted (Article 17 GDPR).
  • Data subjects have the right to receive their data from the controller in a structured, common, and machine-readable format (Article 20 GDPR).
  • Data subjects can object to the processing of their data for certain reasons, in particular processing for direct marketing purposes (Article 21 GDPR).

Responsibilities of the controller

Chapter 4 lists the obligations of the controllers and processors. These include the following obligations, among others:

  • Controllers must ensure those who process personal data on their behalf also meet the GDPR requirements (Article 28 GDPR).
  • Data breaches must be reported by those responsible to the competent supervisory authority within 72 hours if they result in a risk to the rights and freedoms of individuals (Article 33 GDPR).
  • For certain types of data processing that pose a high risk to the rights and freedoms of data subjects, controllers must carry out a data protection impact assessment (Article 35 GDPR).

What is the significance of the GDPR in e-commerce?

The GDPR is critical for e-commerce businesses because they process large amounts of personal data. Customer information such as name, address, payment details, and order history are essential to the operation of an online store. This means the GDPR has a significant impact on the design and legal framework of e-commerce business models.

Negligent handling of personal data in online shops can result in a data protection violation, leading to legal disputes, regulatory sanctions, and damage to the business’s image. This is why online shop operators in particular need to be familiar with the GDPR and the obligations it imposes.

For example, a business is not allowed to collect a phone number if it is not needed for ordering and delivery. Only data that is necessary for the delivery and payment of ordered goods may be collected.

Similarly, marketing information, such as email addresses for newsletters, may be collected and used only with the customer’s express consent. Credit card information should also be stored only for as long as necessary to complete the payment process. Information such as date of birth may be collected only if it is necessary for age verification – for example, when selling age-restricted goods. Learn more about e-commerce payments.

What requirements must e-commerce businesses meet to comply with GDPR regulations?

To comply with GDPR regulations, e-commerce businesses must meet a variety of requirements. These are largely derived from the above-mentioned rights of the data subjects (Chapter 3 of the GDPR) and the obligations of the controllers (Chapter 4 of the GDPR).

Privacy policy

E-commerce businesses must provide a comprehensive privacy policy. It must explain transparently and comprehensively what personal data is collected, for what purpose, how the data is processed, and what rights the data subjects have. The privacy policy must be easy to find (e.g. in the website footer or as a direct link when accessing the page). Article 13 GDPR lists all information required in a GDPR-compliant data protection declaration. These include:

  • The name and contact details of the data controller
  • Where applicable, the name and contact details of the data protection officer
  • The legal basis and the purposes of the processing of personal data
  • An indication of the controller’s legitimate interests, if the data processing is based on them (see Article 1(1)(f) of the GDPR)
  • The recipients of the personal data in case of disclosure
  • The duration of the storage of personal data
  • The rights of the data subjects, including the rights of access, rectification, erasure, objection, revocation and restriction of processing
  • The description of the consequences of not providing personal data

The processing of personal data that is not necessary for the performance of the contract requires the informed consent of the user. This applies in particular to the use of cookies, which are text files that are temporarily stored in the user’s browser. Technically necessary cookies are used, for example, to display the appropriate language of the website for the user or to store the contents of the shopping cart.

Cookies are essential to the proper functioning of websites, and they are used to create user profiles for personalised advertising. This can be critical in some cases because statistical and personal data is stored. For this reason, users must be given the opportunity to consent to the storage and processing of cookies. A simple “cookie banner” is sufficient only if it offers the option to reject or adjust cookie settings.

Technical and organisational measures

To protect personal data from third-party access, among other things, online shops must take technical security precautions. These include the encryption of the data transmission – for example, through the hypertext transfer protocol secure (HTTPS) (Article 32 GDPR). This requires a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) certificate. Online shops must also ensure personal data is stored securely (e.g. in encrypted databases). Data backups are also mandatory.

Customer email addresses cannot automatically be used to send newsletters, advertising, or information offers. This requires active consent from customers. With the entry into force of the GDPR, the double opt-in procedure is required based on Article 7 and Article 8 of the regulation. “Opt-in” can be loosely translated as “to decide on something” or “to choose.” Double opt-in requires customers to confirm twice. They must first be asked whether they would like to receive a newsletter, for example. If this is confirmed by registering – and the associated transmission of the email address – a second step follows: businesses must send a confirmation link that must be clicked to activate the offer.

Data processing agreements

If external service providers process personal data from an online shop, data processing agreements must be concluded. This is the mandatory requirement for the transfer of data to third parties. Data protection agreements ensure third parties also comply with the GDPR. Typical service providers for online shops are payment service providers or providers of cloud services and software-as-a-service (SaaS) solutions.

This is where Stripe Checkout can help you: a ready-made payment form that enables a smooth checkout process. Checkout can be integrated into your website or redirect customers to a page hosted by Stripe. There, payments or subscriptions can be accepted easily, securely, and in compliance with the GDPR.

Appointment of data protection officers

According to Article 37 GDPR, the appointment of data protection officers for an online shop is mandatory under certain conditions. They monitor compliance with the GDPR and act as contacts for supervisory authorities and data subjects.

What penalties do businesses face if they fail to comply with the GDPR?

According to Article 83 GDPR, businesses can be subject to heavy fines if they violate data protection rules. These range up to €20 million or 4% of the business’s annual worldwide turnover. For example, it is an administrative offence to intentionally, knowingly, or negligently conceal the sender or the commercial nature of a message. The same applies to the collection, processing, or storage of personal data in violation of the law. In addition, the data subjects must always be informed about the collection of data.

The content in this article is for general information and education purposes only and should not be construed as legal or tax advice. Stripe does not warrant or guarantee the accuracy, completeness, adequacy, or currency of the information in the article. You should seek the advice of a competent lawyer or accountant licensed to practise in your jurisdiction for advice on your particular situation.

Ready to get started?

Create an account and start accepting payments – no contracts or banking details required. Or, contact us to design a custom package for your business.
Checkout

Checkout

Embed Checkout into your website or direct customers to a Stripe-hosted page to easily and securely accept one-time payments or subscriptions.

Checkout docs

Build a low-code payment form and embed it on your site or host it on Stripe.